[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Ben Laurie ben at links.org
Sun Jan 6 08:53:40 EST 2013

On Sun, Jan 6, 2013 at 1:15 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Ben Laurie <ben at links.org> writes:
>>On Sat, Jan 5, 2013 at 1:26 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>>> In the light of yet another in an apparently neverending string of CA
>>> failures, how long are browser vendors going to keep perpetuating this PKI
>>> farce? [0].  Not only is there no recorded instance, anytime, anywhere, of a
>>> browser certificate warning actually protecting users from harm [1],
>>This is patently incorrect: Diginotar were caught by a browser warning.
> Well, we think that at least one user was.  We definitely know that 300,000
> others weren't.  That's hardly a triumph of browser PKI.
> Let's look at the figures in more detail.  There are around a billion users of
> the Internet.  Let's say that they go to two SSL-enabled sites a day, probably
> a lower bound but it's just a back-of-the-envelope thing.  That's two billion
> uses of browser PKI a day, let's call it roughly a trillion a year.  SSL has
> been around in significant volume for, say, about 15 years, so that's 15
> trillion uses.  The number of people who reported being warned about the
> Diginotar cert was, say, a dozen or so, and of that we don't know how many
> ignored the warning and clicked through anyway, as they've been conditioned to
> do.

My understanding is you can't click through a pinning warning.

> There are figures from an earlier invalid-cert case in which exactly one
> user out of 300 was turned back by the warning, but let's be generous and say
> it was two users who were turned away.  So out of 15 trillion uses of browser
> PKI, two worked to protect users.  In other words it has an effectiveness rate
> of one in seven trillion.

a) I don't believe your figures, and

b) You are not counting all the people who were protected by the early
detection of Diginotar.

> That pretty much makes browser PKI the homeopathy of security.
>>Certificate Transparency is a real security measure that is a response by a
>>browser vendor.
> So the response to the repeated failure of browser PKI is PKI-me-harder.
> Yeah, that's really going to make users safer.

I suspect you don't understand CT - perhaps you'd care to explain why
it is PKI-me-harder?

In any case, its time you updated your out-of-date rant - or, even
better, explained your solution to the problem.

More information about the cryptography mailing list